This page lists container supported HTTP attributes and defaults so that we can understand the limitations using those containers.

Tomcat

  • maxHttpHeaderSize : The maximum size of the request and response HTTP header, specified in bytes.
    Default: 8192 (8 KB)

  • maxHeaderCount : The maximum number of headers in a request that are allowed by the container. A request that contains more headers than the specified limit will be rejected. A value of less than 0 means no limit.
    Default: 100

  • maxPostSize : The maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. The limit can be disabled by setting this attribute to a value less than or equal to 0.
    Default: 2097152 (2 megabytes).

Jetty

  • headerBufferSize : Set the size of the buffer to be used for request and response headers. An idle connection will at most have one buffer of this size allocated.
    Default: 4K

  • requestBufferSize : Set the size of the content buffer for receiving requests. These buffers are only used for active connections that have requests with bodies that will not fit within the header buffer (see #headerBufferSize).
    Default: 8K

  • responseBufferSize : Set the size of the content buffer for sending responses. These buffers are only used for active connections that are sending responses with bodies that will not fit within the header buffer.
    Default: 24K

Glassfish

  • header-buffer-length-in-bytes : Specifies the size of the buffer used by the request processing threads to read the request data.
    Default: 8K

  • receive-buffer-size-in-byte : Default: 4K

  • send-buffer-size-in-bytes : Default: 8K

Apache

  • LimitRequestFieldSize : Limits the size of the HTTP request header allowed from the client.
    Default: 8k

Sometimes, depending on headers added by Repose, the default container limits can be exceeded. If Repose is deployed as Root.WAR in a container and the header size limit is exceeded, then Repose will respond to the client with the same response code that was received from origin service.

Two example scenarios when it can exceed header size limit are:

  • When client sends request that has header with large value (container header size limit -1) and Repose add value to the same header and forwards request to origin service. Origin Service container will return 4XX response code which will be passed back to client by Repose.

  • When client sends request and Repose adds header value (example X-Roles header that contains all the roles for user that are sent back by Auth) and forwards request to origin service. Origin Service container will return 4XX response code which will be passed back to client by Repose. The Auth user client is using can have lots (hundreds) of roles. Repose returns 400 in this case.